Hackers Seized on the Pandemic. Some States Are Fighting Back.


Cyberattackers have forced states to take down websites, stolen $36 billion in unemployment payments and exposed millions of residents’ personal information to scammers.

COVID-19 made its U.S. debut in Washington state, but the virus was only the first of several intruders to attack the state in the past year.

Last spring, cybercriminals breached the state’s unemployment system. Washington was one of the states affected by the massive SolarWinds hack, which was discovered in December. And earlier this month, the state auditor’s office disclosed that fraudsters had exposed the personal information of more than a million residents.

“We have a serious governance and oversight problem,” said Washington state Sen. Reuven Carlyle, a Democrat who chairs the Senate Environment, Energy & Technology Committee. “The state auditor breach is historically serious, on every level. And we’ve had four or five major cyber incidents in the last year.”

Rocked by the massive SolarWinds hack, unemployment system breaches and other attacks, several states are trying to bolster their cybersecurity in the midst of the public health crisis.

“If there’s ever been a year to reprioritize and make sure your cybersecurity is taken care of, this is it,” said Forrest Senti, a vice president at the National Cybersecurity Center, a nonprofit think tank based in Colorado Springs, Colorado. “These attacks are precursors to what could happen if we’re not investing properly and doing training and listening to those who know how to deal with this. We don’t want cyber 9/11.”

Cyberattackers have forced states to take down websites, stolen $36 billion in unemployment payments and exposed millions of residents’ personal information to scammers.

In Washington state, lawmakers are proposing to centralize agencies’ cybersecurity practices. In Minnesota, they’re considering creating a joint legislative cybersecurity commission. In Maine, Democratic Gov. Janet Mills issued an executive order establishing a cybersecurity advisory council. And in Texas, state officials are teaming up with a private security company to provide cybersecurity defense services to state and local agencies, after a series of ransomware attacks.

Meredith Ward, policy and research director at the National Association of State Chief Information Officers, said attacks during the pandemic have brought more awareness to the need for stronger protections.

Cybercriminals have had new opportunities to disrupt, she said, whether it’s trying to target the supply chain or launch ransomware attacks on hospitals and health care systems.

“Unfortunately, the bad guys seize on every opportunity they can. That’s what we’ve seen during the pandemic and with these high-profile cyber incidents,” Ward said. “It’s brought attention to what state chief information officers and chief information security officers have been struggling with for a while.”

SolarWinds Attack

The SolarWinds espionage hack, which according to federal officials likely came from Russia, was one of the largest cyberattacks in recent memory. To access information, sophisticated cybercriminals hacked into and hid malicious code in a software update from SolarWinds, an Austin, Texas, technology company.

It was distributed to thousands of public and private sector customers in the U.S. Among them: Microsoft, Cisco and the U.S. Justice and Commerce departments.

Several universities were victims as well, including Iowa State and Kent State universities.

The hackers also hit Pima County, Arizona, where an official wouldn’t disclose the extent of the attack, but said there was no indication any data had been stolen.

At least three state governments were breached in the SolarWinds attack, Bloomberg has reported.

A spokesperson for the Virginia State Corporation Commission, which regulates utilities, insurance and other institutions in the state, later confirmed it had been one of the targets. Carlyle, the Washington state lawmaker, told Stateline that his state also was hit. The third state has not been identified.

Alerts from the federal Cybersecurity and Infrastructure Security Agency warned that the SolarWinds campaign posed “a grave risk” to federal, state and local governments, and private companies. The hackers had the “resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked,” the agency cautioned.

Brett Callow, a threat analyst for cybersecurity company Emsisoft, said these types of attacks are very hard to defend against because they come through organizations’ legitimate vendors.

Unlike ransomware attackers, who are motivated by greed, hijacking computer systems and holding them hostage until their victims pay a ransom or restore systems on their own, the SolarWinds hackers were out to get information, cybersecurity experts say.

Callow describes the SolarWinds hack as “possibly the most serious cybersecurity incident of recent times.”

Callow said many governments, hamstrung by other budget priorities, are reluctant to invest enough in cybersecurity. But with so many recent attacks, he added, that may be changing. “There’s a greater focus on cybersecurity now than there has been,” he said.

Washington State Struck

The SolarWinds attack wasn’t Washington state’s only cyber crisis this past year.

In late spring, Washington was one of more than a half-dozen states victimized in a massive fraud scheme in which cybercriminals struck unemployment systems, which already were overburdened with a huge influx of claims.

The fraudsters apparently used information about people they may have gotten from previous hacks to file fraudulent claims on behalf of those who hadn’t been laid off, without their knowledge.

A cybersecurity company linked the attacks to a Nigerian crime ring it nicknamed Scattered Canary. Washington state officials say they were scammed out of hundreds of millions of dollars in fraudulent claims. The ring also apparently hit Florida, Rhode Island and Wyoming, among other states, according to The New York Times.

Earlier this month, the U.S. Department of Labor announced $49 million in grants to 27 states to combat fraud in their pandemic unemployment assistance programs.

“Criminal organizations have tested the integrity of individual state unemployment systems, quickly exposing vulnerabilities,” the agency said in a news release. “In recent months, state unemployment programs have detected significantly more fraudulent attacks while new schemes emerge daily.”

Months after the first unemployment cyberattack on Washington state, it was struck again.

On Feb. 1, State Auditor Pat McCarthy disclosed a massive data breach in her office. Hackers had compromised a software vendor’s data transfer services in December, exposing the Social Security, bank account numbers and other personal information of at least 1.4 million Washingtonians who filed for unemployment benefits last year.

That data had been collected as part of the state auditor’s investigation into the earlier unemployment fraud scam.

Lawmakers React

In response to the attacks, a group of Washington state senators this month introduced a measure to bolster cybersecurity, at the request of Democratic Gov. Jay Inslee.

The bill would create an Office of Cybersecurity by statute within the office of the state chief information officer. The office would set standards and policies for safely storing sensitive data and develop a centralized cyber protocol for all state agencies, including those run by independently elected officials, such as the state auditor.

“Here we are, the home of some of the premier IT companies on the planet, and our cybersecurity and IT systems simply don’t reflect that qualify,” said Carlyle, the bill’s primary sponsor.

Carlyle said his state has nine independently elected state officials, and each agency is convinced it can manage its own data.

“We have a decentralized, go-it-alone approach in this state, and it simply is not working,” he said.

Many lawmakers in Minnesota also are concerned about an uptick in cyberattacks against their state.

A bipartisan group of state representatives there introduced a bill this month that would create a joint House and Senate legislative commission on cybersecurity. The panel would review state agencies’ cybersecurity policies and practices and recommend changes to protect the state from cyberthreats.

Democratic state Rep. Kristin Bahner, the bill’s primary sponsor, said Minnesota has seen some “dramatic” cyberattacks during the pandemic.

After the civil unrest that followed George Floyd’s killing in Minneapolis in May, the hacker group Anonymous breached the state Senate’s website, forcing officials to take it down.

Then, in June, Minnesota was struck by a torrent of denial-of-service attacks, in which hackers try to knock websites offline by flooding them with traffic.

“In a time of incredible turmoil, there were cybercriminals waiting to exploit that and take advantage,” Bahner said.

The state needs to make sure its websites aren’t tampered with, and it must protect residents’ personal data, whether it’s driver’s license information, Social Security or bank account numbers, she said.

“Our citizens will not be so forgiving if we allow someone to access their critical data or shut down services they rely on. There’s a new interest and understanding on both sides of the aisle.”

This article was originally published by Stateline, an initiative of The Pew Charitable Trusts.